Security Experts:

Why the BlackBerry PlayBook Shows Us The Future of Enterprise Security -- Especially if it Fails

Information security commentators love to predict what the future will bring. But change is almost always gradual. It’s much harder to spot points in time where markets change sharply — what former Intel Andy Grove CEO calls inflection points. We have a security inflection point staring us in the face: October 19th, 2011, six months from today, the day which happens to be the official launch date for RIM’s PlayBook tablet. When October arrives, we will know what the next five years of enterprise information security will look like. Here’s the premise:

BlackBerry PlayBook Shows Us The Future of Enterprise Security -- Especially if it Fails• A significant portion of enterprise computing is moving to Post-PC devices such as smartphones and tablets

• Consumer-centric vendors, notably Apple, are running away with the market

• Microsoft, the incumbent desktop operating system vendor, is missing in action

• The PlayBook is RIM’s best opportunity to remain relevant in the Post-PC world

• If the PlayBook fails to be a hit, Apple (and possibly Google) win by default

• If established enterprise vendors are locked out, the security model for the next five years shifts radically towards securing consumer devices that companies don't own

Let’s explore each of these points in turn.

A significant portion of enterprise computing is moving to Post-PC devices. The availability of cheap bandwidth, ubiquitous connectivity and new technologies have resulted in a new generation of computing devices. “Post PC” smartphones and tablets like Apple’s iPad are powerful, pocketable and affordable. Data from IDC, Garter and Forrester all agree: customers will buy more Post-PC smartphones and tablets in 2011 than traditional PCs. IDC’s data for Q1 2011, for example, shows that “media tablets” — an analyst euphemism that means “the iPad”, because Apple has the market to itself — helped explain why the PC market shrunk last quarter. As IDC’s Jay Chou put it in a recent research note, “’Good-enough computing’ has become a firm reality, exemplified first by Mini Notebooks and now Media Tablets.” Simply put, Post-PC devices do less than traditional PCs, but do them in more places. And that is changing how we work.

Consumer-centric vendors, notably Apple, are running away with the market. In the consumer market for smartphones — the first type of Post-PC device — Apple and Android smartphones now comprise the majority of devices sold. In the newer tablet market, Forrester forecasts that the iPad will have 80% of the market through 2012. Gartner expects that Apple will have the market largely to itself through at least 2015, and will sell nearly 55% of the total 500 million tablets expected to be sold over the next five years. For all of the protestations of vendors like Dell, Apple has the market to itself for now. Android is likely to be a strong second choice; Gartner expects tablets based on Android to comprise about 30% of the installed base for tablets.

Microsoft, the incumbent desktop operating system vendor, is missing in action. The Windows operating system runs on 95% of corporate desktops, but is a non-factor in the tablet market. Microsoft’s first credible operating system that works well in tablet formats won’t be released until mid-2012 at the earliest , giving Apple a 130-million unit head start. Moreover, Microsoft’s tablet OS will be squeezed hard by Android Honeycomb devices when OEMs start shipping them in volume later this year. It’s hard to see how Microsoft can come to the game two years late and expect to take significant share.

The PlayBook is RIM’s best opportunity to remain relevant in the Post-PC world. The PlayBook, built on top of the real-time microkernel operating system QNX, is designed to run business-class e-mail, mobile apps and consumer multimedia applications. It will tether with an existing BlackBerry device, likely comply with FIPS and work with your office e-mail system. RIM believes that improved security will be the primary reason why enterprises will prefer it to less-serious devices like the iPad. As RIM co-CEO Jim Balsillie put it: “Corporate security officers and CIOs are having heart attacks on tablets and this is a locked down, BlackBerry-secure environment... We have tons of customers who are absolutely slaughtering us for units. They want it fast.” For RIM, the stakes could not be higher.

If the PlayBook fails to be a hit, Apple (and possibly Google) win by default. In the PlayBook, corporate IT managers finally have a Post-PC tablet that will have many of the same benefits that the iPad offers: multimedia, a fluid touch screen, and what Basillie described as “the tonnage of apps.” But what if the iPad (and forthcoming Android devices) are good enough? With a little bit of effort, the iPad can be configured to enforce the most important security features enterprises tell me they want: strong password controls, encryption, and remote wipe. The iPad also offers clear benefits that even the most paranoid security manager cannot ignore: it boots instantly, requires no maintenance once configured and gets very good battery life.

If established vendors are locked out, the security model for the next ten years shifts radically towards securing consumer devices that companies don't own. Indeed, the future is already here. Consider smartphones. Most companies still have a carefully selected and supported standard for mobile computing. Usually, this is the BlackBerry. But I see plenty of evidence that employee-owned devices are making serious headway. Within Perimeter’s customer base, for example, about 15% of our roughly 200,000 SaaS Secure Messaging users get their Exchange e-mail using a mobile device. As of last quarter, ActiveSync-enabled devices have become more popular on our clients’ networks than BlackBerry. Most of these devices are employee-owned.

Employees love choice, flexibility, and fashion. That is why they are buying iPads by the pallet-load. The rise of consumer-grade Post-PC devices means that IT security must say goodbye to standard hardware platforms, sanctioned corporate anti-malware software, and consistently enforced security policies. That is why they are concerned, and why worried IT managers are RIM’s natural target audience.

Seen against the backdrop of consumerization, the PlayBook’s relative success or failure in the enterprise market is nothing less than a referendum on IT’s ability to impose its will as we enter the Post-PC era. The PlayBook device is essentially IT's last stand. Will safe, IT-sanctioned devices win, or take a back seat to employee and consumer tastes?

By October of this year, the answer should be clear. With six months of PlayBook sales data available, the number of devices RIM has sold will be a strong indicator of who — corporations or consumers — will be in the drivers seat. That, in turn, will directly influence what we as security professionals will have to deal with.

To be judged a success in the Post-PC tablet market, by October RIM needs to sell half as many as Apple does to corporate buyers during Q2 and Q3. Apple will sell about 25 million during that time period, approximately 12 million of which will be used for business purposes. The number RIM needs to hit, therefore, is 6 million PlayBooks. If RIM sells less than that, we will know we’ve hit our inflection point.

Andrew Jaquith is CTO at SilverSky. Prior to his current role, he served as a senior analyst with Forrester Research where he led team coverage for data, endpoint and mobile security topics. Prior to joining Forrester, he was program manager in Yankee Group's enabling technologies enterprise group, with coverage of client security, digital identity, and web application security. Before joining Yankee Group, he co-founded @stake, a security consulting pioneer, which Symantec acquired in 2004. Before @stake, he held project manager and business analyst positions at Cambridge Technology Partners and FedEx. He is the co-developer of the Apache JSPWiki open source wiki software package, and the author of the 2007 Addison-Wesley Professional book "Security Metrics: Replacing Fear, Uncertainty and Doubt." Andrew holds a B.A. in Economics and Political Science from Yale University.